Cyber Threat Actor: DarkSly
| Actor Type | Location | Known Incidents |
Criminal
|
Viet Nam
|
2 incidents |
|---|
Profile
DarkSly, also known as DarkSquid, is an individual who identifies as a greyhat hacker and has been linked to Vietnam based on available information. The actor publicly rejects any association with the Vietnamese state‑sponsored group APT32 and insists on operating alone rather than as part of a collective. No evidence has been presented to tie DarkSly to a state nexus or to a criminal consortium.
The actor’s activities have focused on the automotive sector, specifically targeting Hyundai’s Saudi Arabian operations and later Jaguar and LandRover branches across multiple countries in the Middle East and North Africa. The stated goal of the intrusions was financial, as DarkSly demanded a Bitcoin payment in exchange for revealing vulnerabilities and deleting the exfiltrated data, effectively seeking a bug bounty or ransom. The compromised data sets included personal details such as full names, email addresses, cities, bank affiliations, monthly salaries and phone numbers of customers, with no reported exposure of passwords or credit‑card information.
DarkSly’s reported tactics involved the use of a fake website to gain initial entry, after which database credentials and root‑certificate access were obtained, allowing the actor to claim persistent access to the victims’ systems. The hacker also asserted possession of the target’s source code, suggesting that development weaknesses were exploited rather than relying on specific malware families. Notable publicly reported operations include the November 2019 breach of Hyundai Saudi Arabia that exposed roughly 460 000 customer records and the subsequent December 2019 claim of access to Jaguar and LandRover databases spanning Saudi Arabia, Kuwait, the United Arab Emirates, Oman, Egypt, Mexico, Morocco, Lebanon, Iraq, Qatar and Tunisia. These incidents remain the primary examples of DarkSly’s activity as documented in open sources.
